Once data breaches take on a public life, websites experience a 300% increase in volumetric credential stuffing attacks, many aimed at financial authentications, with the weekends showing the greatest susceptibility.

That is among the revelations from San Francisco-based bot mitigation firm Distil's “The Anatomy of Account Takeover Attacks,” based on data from 600 domains that include login pages. The findings come from the recently launched Distil Research Lab, a team of dedicated analysts who examine the most sophisticated automated threats for some of the world's most attacked websites.

Hackers and fraudsters use bots to execute ATO attacks for a variety of purposes. They can validate login credentials, gain access to credit card data, and sell personally identifiable information on the darknet. They can also use stolen account data to transfer money, purchase goods, or spread political agendas.

Distil Networks found bad bots appeared on every website with login pages, which are among the most abused by hackers and fraudsters. The report analyzed patterns found in ATO attacks, named the most popular tools used to commit these attacks and categorized the three main types of ATO bot attack profiles.

The report also explained the contrasts between simple, moderate and sophisticated attacks, and provides defenders with advice on how to detect and prevent each type of attack.

Key findings Include:

  • In the days following a public breach websites experience three times more credential stuffing attacks than the average of two-three attacks per month.
  • Fifty percent of ATO attacks come in the form of volumetric credential stuffing, where bad bot requests are easily identifiable and attempted in bursts, typically looking like a spike of requests above the baseline. The other half of ATO attacks are through low and slow credential stuffing and credential cracking, identified by consistent, continuous login requests that bad bots run 24/7, often flying under the radar due to its slow pace.
  • Smaller scale “test round” incursions preceded almost 20% of all analyzed attacks.
  • Thirty-nine percent of volumetric ATO attacks occur on a Friday or Saturday. Bot operators schedule attacks when it presumed that fewer security professionals will be around to notice anomalies.

Every time a breach comes to light and exposing consumer credentials, any business with a login page should prepare themselves for a swell of volumetric credential stuffing attacks, Anna Westelius, senior director of security research at Distil Networks said. “While bot operators may be purposeful in their strategy of carrying out ATO attacks, this data also renders them predictable. Organizations must educate themselves to identify the warnings signs and be prepared for times when an attacker may strike.”

Westelius explained a login attack involves a bot or script trying to automatically access a login endpoint. “Either to test sets of credentials or if they have a valid login they can use them somewhere else or to get access to information, PII, credit card data, to sell or distribute.”

Financial institution and fintech type attacks are more direct because of the monetary incentive or very, high value data. When it comes to non-financial data hackers just want to verify the validity of credentials for later use. “(Attackers) get access to so much more when it comes to financial institutions in comparison to other types of websites,” Westelius suggested. “So that's really where we see the highest level of sophistication of attackers.”

“I would say that one of the surprising things is you would not expect absolutely every website to have these types of issues,” Westelius noted. She added Distil researcher were also a bit surprised as to the frequency of these attacks and the weekend liability “We had heard a lot of our customers are complaining about their security not being allowed to go home on Friday and having to work weekends to battle these problems. Attackers really think about when someone's going to be there and try to adapt to when no one's going to notice alarms going off.”

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).